LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-05-2003, 12:55 PM   #1
kemu
LQ Newbie
 
Registered: May 2003
Posts: 3

Rep: Reputation: 0
chrooting vsftpd


Hey
I've installed vsftpd on my redhat system.
When a normal user log's in he can browser almost my whole hd.
I would like him only to be able to move around in his own homedir.
How can I do this ?
 
Old 05-05-2003, 02:18 PM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Take a look at my post here:
http://www.linuxquestions.org/questi...961#post293961
 
Old 05-05-2003, 02:20 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Hello and welcome to LQ.
For starters have a look at this thread (we've got excellent search facilities here at LQ) and your vsftpd docs.
 
Old 05-05-2003, 02:35 PM   #4
kemu
LQ Newbie
 
Registered: May 2003
Posts: 3

Original Poster
Rep: Reputation: 0
sorry should have asked my question a bit better.
What I mean is I have a user chrooted using jailchroot, under /var/chroot/home/chroottest. I did this to secure users loggin in by ssh.
Now the user chroottest can't login by ftp using vsftpd I allways get wrong passwd. How can I make sure chrooted users using chrootjail can login by ftp using vsftpd ?
An other thin about chrootjail. Users still can move around in the "/" dir view files ...
I know there is a way to stop users from doing that only don't know how ...
I know it has something to do with groups is there any article that deals about these things ... so in example if a jail chrooted user does "ls /" he gets permission denied

Last edited by kemu; 05-05-2003 at 03:16 PM.
 
Old 05-06-2003, 06:42 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
What I mean is I have a user chrooted using jailchroot, under /var/chroot/home/chroottest. I did this to secure users loggin in by ssh. Now the user chroottest can't login by ftp using vsftpd I allways get wrong passwd. How can I make sure chrooted users using chrootjail can login by ftp using vsftpd ?
Not a direct answer to your question, but if you only use "chrootjail" to isolate a Ssh user, there is a patch[1] to OpenSSH that can chroot users. That would help avoid conflicts with other apps because for instance it doesn't need modification of /etc/passwd data.

If you want to work things out with your current setup then you need to fix the authentication stuff. Login and look in the vsftpd log for errors, else make it log in verbose or debug mode, else run it through strace to look for errors: "strace -v -o /tmp/strace.log /path/to/vsftp <vsftpargs>". Then post your vsftp configs, logfile, errors and the strace log running vsftp.

Else look at vsftpd's "virtual users" option which supposedly doesn't need /etc/passwd (I think the error is there or with PAM) and such at all. Look in the docs under EXAMPLE/VIRTUAL_USERS_2/README.


An other thin about chrootjail. Users still can move around in the "/" dir view files ...
If you're sure[2], then you made a configuration error.
AFAIK you should review your setup in /etc/passwd.

I know there is a way to stop users from doing that only don't know how ...
I know it has something to do with groups is there any article that deals about these things ... so in example if a jail chrooted user does "ls /" he gets permission denied

No. A chrooted user is never denied access to root ("/"), because they need access to system binary dirs like /bin and /usr/bin.
A chroot that's set up properly contains a "mirror" of the root filesystem including for instance authentication files in </chroot dir>/etc, libs in </chroot dir>/lib and the necessary binaries.
That's why I favour "jail": it set's up the basic chroot I only have to tweak, like for instance replacing Bash and GNU utils with busybox.


Also please note the 1st thread in this forum contains some handy references on security in general, including chrooting etc etc.


[1] Chrooting OpenSSH:
http://chrootssh.sourceforge.net/patches/
http://mail.incredimail.com/howto/openssh/
http://debian.chains.ch/chroot/chroot.html

[2] amIJailedOrWhat.c
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
  struct stat x;

  if (stat("/", &x)) {
    printf("Unable to stat /");
    exit(EXIT_FAILURE);
  }

  if (x.st_ino==2) {
    printf("Account is NOT chrooted.\n");
  } else {
    printf("Account is chrooted OK.\n");
  }
  exit(EXIT_SUCCESS);
}
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
chrooting mysqld gk_ Linux - Software 2 08-10-2005 12:13 PM
chrooting nucleocide Linux - Software 2 08-08-2005 04:30 PM
chrooting advice reesee Linux - Security 1 07-14-2004 05:00 PM
chrooting account in VSFTPD dkc_ace Linux - Software 1 08-07-2003 04:07 PM
Quick Q on 'chrooting'... tarballed Linux - Security 2 07-17-2003 11:15 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration